Adobe March 2026 Security Updates Across Multiple Products
Adobe published its March 2026 security advisories covering multiple vulnerabilities across a broad set of products, with impacts including remote code execution (RCE), elevation of privilege, cross-site scripting (XSS), information disclosure, denial of service, and security restriction bypass. Products called out include Adobe Commerce (including Adobe Commerce B2B and Magento Open Source), Illustrator, Acrobat/Reader, Premiere Pro, Experience Manager (AEM), Substance 3D Painter, Substance 3D Stager, and the Adobe DNG SDK.
The Hong Kong CERT bulletin characterized the overall risk level of the March release as Medium, listing eight medium-risk product advisories (e.g., APSB26-05, APSB26-18, APSB26-24, APSB26-26). Canada’s Cyber Centre alert (AV26-215) echoed the same advisory set and provided affected version ranges (e.g., Illustrator 2025 prior to 29.8.4/30.1, Acrobat/Reader DC prior to 25.001.21265, Premiere Pro prior to 25.5, AEM Cloud Service and 6.5 LTS/6.5 SP23 and prior, and DNG SDK prior to 1.7.1 build 2471), urging organizations to review Adobe’s advisories and apply the required updates.
Timeline
Mar 11, 2026
HKCERT issues bulletin on Adobe March 2026 security update
On 2026-03-11, HKCERT published a security bulletin highlighting Adobe's March 2026 monthly security update. The bulletin appears to reference the same set of Adobe advisories released the previous day.
Mar 10, 2026
Adobe publishes March 2026 security advisories for multiple products
On 2026-03-10, Adobe released multiple security advisories covering vulnerabilities in products including Adobe Commerce, Magento Open Source, Illustrator, Acrobat/Reader, Premiere Pro, several Substance 3D applications, and Adobe Experience Manager. The advisories identified affected versions and indicated that updates were required to remediate the issues.
Related Stories

Adobe Patches Critical RCE Flaws in FrameMaker Publishing, Commerce, and Magento
Adobe released security updates for multiple critical vulnerabilities affecting **Adobe FrameMaker Publishing Server**, **Adobe Commerce**, **Magento Open Source**, and the **Adobe Commerce Webhooks** extension. The most serious issues include `CVE-2024-30299` and `CVE-2024-30300` in FrameMaker Publishing Server and `CVE-2024-34102` in Adobe Commerce and Magento, with severity reaching **CVSS 10.0**. Successful exploitation could allow **arbitrary code execution**, **security feature bypass**, and **privilege escalation**. Adobe also issued critical fixes for **Adobe Experience Manager**, **Creative Cloud Desktop**, **Photoshop**, and **Substance 3D Stager** to address vulnerabilities that could enable code execution, unauthorized system access, and exposure of sensitive data. National cybersecurity authorities highlighted the breadth and severity of the flaws and urged organizations using affected Adobe products to apply vendor patches immediately in line with Adobe guidance.
6 days ago
Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. Additionally, a moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks. Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce. 
Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
1 month ago
Adobe Issues Security Bulletins for Acrobat and Photoshop
Adobe published security bulletins for **Acrobat** and **Photoshop**, identifying vulnerabilities in two widely deployed creative and document-processing products. The advisories, tracked as `APSB26-43` for Acrobat and `APSB26-40` for Photoshop, were released through Adobe's product security bulletin channel and signal that security updates are available for affected software. The coordinated disclosures indicate ongoing remediation across Adobe's desktop application portfolio, with organizations using Acrobat for PDF workflows and Photoshop for image editing advised to review the relevant bulletins and apply vendor-provided patches. Because both products are common in enterprise environments, defenders should prioritize update validation and deployment to reduce exposure from unpatched client-side software.
2 weeks ago